Bug 698977

Summary: SELinux is preventing /usr/sbin/tmpwatch from 'read' accesses on the directory /.
Product: [Fedora] Fedora Reporter: Clyde E. Kunkel <clydekunkel7734>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED INSUFFICIENT_DATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: rawhideCC: clydekunkel7734, dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:be815c1d483d7a42abc5d995e48dc605b056a3355d648ece93a4c5400ce1086d
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-11-21 16:41:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Clyde E. Kunkel 2011-04-22 13:38:49 UTC 
SELinux is preventing /usr/sbin/tmpwatch from 'read' accesses on the directory /.

*****  Plugin catchall_labels (83.8 confidence) suggests  ********************

If you want to allow tmpwatch to have read access on the  directory
Then you need to change the label on /
Do
# semanage fcontext -a -t FILE_TYPE '/'
where FILE_TYPE is one of the following: textrel_shlib_t, httpd_cache_t, sandbox_file_t, var_lib_t, user_home_type, kismet_log_t, var_run_t, rpm_var_cache_t, home_root_t, tmpreaper_t, print_spool_t, amavis_spool_t, sysctl_crypto_t, man_t, user_home_dir_t, abrt_t, lib_t, root_t, device_t, usr_t, locale_t, etc_t, tmpfile, device_t, etc_t. 
Then execute: 
restorecon -v '/'


*****  Plugin catchall (17.1 confidence) suggests  ***************************

If you believe that tmpwatch should be allowed read access on the  directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep tmpwatch /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
Target Context                system_u:object_r:mnt_t:s0
Target Objects                / [ dir ]
Source                        tmpwatch
Source Path                   /usr/sbin/tmpwatch
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           tmpwatch-2.10.2-1.fc16
Target RPM Packages           filesystem-2.4.41-1.fc16
Policy RPM                    selinux-policy-3.9.16-15.fc16
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.39-0.rc3.git2.0.fc16.x86_64 #1 SMP Wed Apr 13
                              17:32:09 UTC 2011 x86_64 x86_64
Alert Count                   43
First Seen                    Fri 15 Apr 2011 12:39:01 PM EDT
Last Seen                     Thu 21 Apr 2011 11:32:01 AM EDT
Local ID                      1de5d896-8815-4052-ba88-47cad1abf0dc

Raw Audit Messages
type=AVC msg=audit(1303399921.512:120): avc:  denied  { read } for  pid=14563 comm="tmpwatch" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mnt_t:s0 tclass=dir


type=SYSCALL msg=audit(1303399921.512:120): arch=x86_64 syscall=open success=no exit=EACCES a0=40458b a1=0 a2=347bf98150 a3=0 items=0 ppid=14561 pid=14563 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm=tmpwatch exe=/usr/sbin/tmpwatch subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null)

Hash: tmpwatch,tmpreaper_t,mnt_t,dir,read

audit2allow

#============= tmpreaper_t ==============
allow tmpreaper_t mnt_t:dir read;

audit2allow -R

#============= tmpreaper_t ==============
allow tmpreaper_t mnt_t:dir read;
Comment 1 Daniel Walsh 2011-04-25 13:36:44 UTC 
Are you having tmpwatch watch the /mnt directory?
Comment 2 Clyde E. Kunkel 2011-04-25 16:50:46 UTC 
Not on purpose.  This is a multi-boot test machine with numerous other distros and fedora versions.  I mount them in /mnt as part of the install process of the instant distro. After that, they are primarily referred to and only occasionally modified.
Comment 3 Daniel Walsh 2011-04-25 17:26:07 UTC 
Anything in /etc/cron.daily/tmpwatch that mentions mnt?
Comment 4 Clyde E. Kunkel 2011-04-25 22:01:51 UTC 
not that I can see....


 sudo cat /etc/cron.daily/tmpwatch
#! /bin/sh
flags=-umc
/usr/sbin/tmpwatch "$flags" -x /tmp/.X11-unix -x /tmp/.XIM-unix \
	-x /tmp/.font-unix -x /tmp/.ICE-unix -x /tmp/.Test-unix \
	-X '/tmp/hsperfdata_*' 10d /tmp
/usr/sbin/tmpwatch "$flags" 30d /var/tmp
for d in /var/{cache/man,catman}/{cat?,X11R6/cat?,local/cat?}; do
    if [ -d "$d" ]; then
	/usr/sbin/tmpwatch "$flags" -f 30d "$d"
    fi
done
Comment 5 Clyde E. Kunkel 2011-04-28 15:10:33 UTC 
Would it be advisable to run the command recommended in the troubleshooter?


#!/bin/bash
for ft in textrel_shlib_t httpd_cache_t sandbox_file_t var_lib_t user_home_type kismet_log_t var_run_t rpm_var_cache_t home_root_t tmpreaper_t print_spool_t amavis_spool_t sysctl_crypto_t man_t user_home_dir_t abrt_t lib_t root_t device_t usr_t locale_t etc_t tmpfile device_t etc_t; do semanage fcontext -a -t $ft '/'; done
Comment 6 Daniel Walsh 2011-04-28 15:18:48 UTC 
No.  Has this happened again?

Do you have special file systems mounted on /mnt or /media?
Comment 7 Clyde E. Kunkel 2011-04-28 18:33:18 UTC 
Yeah, number of occurrences at 106.  Nothing in media.

mnt has other distro root filesystems mounted in it, a seti at home partition and a vfat partition:


$ df -ahT /mnt/*
Filesystem                      Type  Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-fedora14 ext4   16G  5.2G  9.5G  36% /mnt/fedora14
/dev/mapper/VolGroup00-fedora15 ext4   16G  6.2G  8.5G  43% /mnt/fedora15
/dev/sdf6                       ext3  2.0G  198M  1.7G  11% /mnt/seti
/dev/sdf3                       vfat  9.8G   75M  9.7G   1% /mnt/share
/dev/mapper/VolGroup00-rawhide  ext4   16G  6.4G  8.3G  44% /

running in permissive mode.
Comment 8 Daniel Walsh 2011-04-28 19:10:21 UTC 
Any chance you have symbolic links into these directories?  Or bind mounts?
Comment 9 Clyde E. Kunkel 2011-04-28 19:34:43 UTC 
(In reply to comment #8)
> Any chance you have symbolic links into these directories?  Or bind mounts?

No.  However, there are symbolic links **within** the /mnt/fedora14 and /mnt/fedora15 directories
Comment 10 Daniel Walsh 2011-04-28 20:59:45 UTC 
Lets see if auditing gives us better data.  Can you turn on full auditing to see if we get a better path.


# auditctl -W /etc/shadow -p w

Next time you get this AVC see if it includes a PATH record.
Comment 11 Clyde E. Kunkel 2011-04-29 02:20:44 UTC 
(In reply to comment #10)
> Lets see if auditing gives us better data.  Can you turn on full auditing to
> see if we get a better path.
> 
> 
> # auditctl -W /etc/shadow -p w
> 
> Next time you get this AVC see if it includes a PATH record.


# auditctl -W /etc/shadow -p w
Error sending delete rule data request (No such file or directory)


Didn't work?
Comment 12 Daniel Walsh 2011-04-29 15:09:44 UTC 
Sorry
 auditctl -w /etc/shadow -p w